Application Token is Different - facebook-graph-api

On this page:
http://developers.facebook.com/docs/opengraph/using-app-tokens/
It describes how to get the app access token, yet the token it returns is different than the one in the open Graph "Get Code" example. The latter is the only one that works. How can I get the second access token using the API? When I try to use the first example, I basically get something back that looks like "application ID|secret key" which is different than the real access token.

as documentation states, you will get
access_token=YOUR_APP_ACCESS_TOKEN
string back from the API call. Even though it LOOKS like "application ID|secret key HASH" - it is a valid access token you can use to publish to user's wall. You can verify it's a proper access token using Debug toll from FB: https://developers.facebook.com/tools/debug - just paste the token there.
The reason it might not work for you is because you are trying to publish something to the user's wall who did not authorize your app. Look here: https://developers.facebook.com/docs/reference/javascript/ - for example of how to use your app ID to make user authorize the app. You need to request publish_stream permission for your app from user in order to be able to publish as the app to the user's wall.
And going back to the documentation:
Note that the app access token is for publishing purposes permitted by
the publish_actions and publish_stream permissions. You will be unable
to retrieve information about the status update post with the given ID
using the app access token. Instead, you should use a user access
token for such purposes.
hope that helps.

Related

Do Facebook provide the access token (at that instant) or one can get only after the friend's permission? (Using PHP Facebook-graph-API )

I am using PHP for accessing Facebook friends location. I want to access location of all friends. I read that it requires "access tokens" to get client's public information from here
https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens
and here
https://www.sammyk.me/access-token-handling-best-practices-in-facebook-php-sdk-v4
Is that token will be provided by Facebook at that instant of time or my app needs to wait till friend's approval.
I saw this post on stack overflow: How to get user access token?
But i still i can't figure out what if friend is offline. How that token will be passed to my application?
Or is it like that "Tokens are generated by Facebook at time when my application made the request but i can only access the user information later using the same token if he has given permission (when he gets logged in)".?
I am unable to find any explanation regarding this.
Thanks.
You can´t get the location of friends at all. Friend permissions have been removed for privacy reasons, you can only get data of users who authorized your App too. Check out the changelog for more information: https://developers.facebook.com/docs/apps/changelog
That being said, there are different Access Tokens. You can get an App Token without authorization, but you need to implement an authorization process for User or Page Tokens.
More information:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/

Facebook ads api workflow

My app got white-listed for using the Ads API.
I was wondering in regarding to the authentication flow.
Say, that I need to retrieve and execute actions via the API on daily tasks ( with no user interaction) , I find the authentication process quite cumbersome.
Is there a way to work with my app access token instead of a user access token?
I want to be able to approve my app only once for each user and then to be able to work with no user interaction.
Can I achieve this?
App access token is not relevant for this case.
I had to work with the user access token.
I followed this doc: https://developers.facebook.com/docs/reference/ads-api/
Eventually , one should use some client side code in order to get a user permissions and then make another request for getting the user token.
So you'll have to call
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=ads_management,offline_access&response_type=code
Get the authentication code and make another call:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=AUTHORIZATION_CODE
Then you'll get an access token which is valid only for two months, in opposed to what Facebook docs says in here:
https://developers.facebook.com/roadmap/offline-access-removal/
"Ads APIs are special cased to allow collection of statistics offline. PMD partners should use server-side OAuth flow in order to receive a non-expiring token rather than a token that has longer expiration time."
Too bad that the access token is not really valid forever...
According to "Exception 4" in this document , if you have Ads API access you should be able to get a non-expiring token if you use the correct workflow. Following the guidelines outlined here, if you use the server side OAuth flow, to make the following request you should get a non-expiring token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
thx for the feedback regarding the Access token process being cumbersome. Because this is a one to many solution - a single App ID can manage multiple ad accounts, on behalf of multiple people - we need to make calls on behalf of people.
You should be able to get a persistent access token for Ads API. If you are not getting it, please provide exact steps you are following so we can see if there is a bug or you might be missing a step.
Thx.

Facebook: Get User Access Token using Facebook.Json

I have some C# code that retrieves an access token using Facebook.JsonObject and can post to my profile wall on facebook with no problems.
However, if I try to use that same access token to retrieve details of my facebook business pages so I can post to them, then I get the message "user access token is required to request this resource".
I thought the access token I had retrieved that allowed me to post to my profile was a user access token. What is the difference, and how do I get a user access token?
This is the code I am using to get the access token:
facebook.JsonObject AuthResult = (Facebook.JsonObject)Oauth.GetApplicationAccessToken(parameters);
object Access_Token = "";
AuthResult.TryGetValue("access_token", out Access_Token);
FacebookClient FBClient = new FacebookClient(Access_Token.ToString());
More information:
I need my customer's c# application to post directly to my customer's facebook business page via code without the application "allow access" box popping up and any redirects to applicatoins taking place. Therefore I need to get the User Access Token programatically without facebook being logged in or open etc.
Any (non-sarcastic) help very gratefully received.
Thanks
I thought the access token I had retrieved that allowed me to post to my profile was a user access token.
Does that method name,
(Facebook.JsonObject)Oauth.GetApplicationAccessToken(parameters);
===========
really sound to you as if it was supposed to give back a user access token? Sorry, but to me it doesn’t …
If you are not familiar with the different types of authentication and access tokens, please read this first: https://developers.facebook.com/docs/authentication/

Facebook app (NOT user) access token expiration

Do Facebook APP access tokens expire? These tokens are different than the USER tokens; they are acquired like this:
https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id={0}&client_secret={1})
as described in the App Login section of the document at http://developers.facebook.com/docs/authentication/.
Are there any circumstances under which they will become invalid?
NB: This is NOT a question about USER access tokens (which are clearly documented). There was an identical question http://facebook.stackoverflow.com/questions/7322063/does-app-login-access-token-expire wrongly closed as duplicate of another question about USER access tokens.
Per the Facebook documentation:
An App Access Token is signed using your app secret and will not
expire; it will be invalidated if you re-key/reset your application
secret.
Creating an APP_ACCESS_TOKEN is really easy.
You can use your App ID/API Key and App secret
access_token = YOUR_APP_ID|YOUR_APP_SECRET
Example: 1234587968 | bghyuifjk3438483249235903502035023504305
I do know that one condition that will cause them to become invalid is if you reset the Application Secret using the Facebook developer tool.
I do not know if using the OAuth method to produce an App Token will cause it to have an expiration. However, if you scan Facebook's PHP SDK, you may notice that a non-expiring app token is made by concatenation app_id and secret:
/**
* Returns the access token that should be used for logged out
* users when no authorization code is available.
*
* #return string The application access token, useful for gathering
* public information about users and applications.
*/
protected function getApplicationAccessToken() {
return $this->appId.'|'.$this->apiSecret;
}
WARNING: I would never use this in client-code as it would publish your app secret. However, in a trust server environment, it seems like the way to go.
To test this, I went to the OpenGraph tool and erased my Access Token and typed in the concatenated value from the code sample. I then accessed my app's insights to verify that it would work:
<APP_ID>/insights/application_active_users
For me, the answer is not to find a token that doesn't expire, (since I do not trust Facebook), but to catch the expiring token and reset without taking up my users time. I found this and thought you might want to check it out.
"To ensure the best experience for your users, your app needs to be prepared to catch errors for the above scenarios. The following PHP code shows you how to handle these errors and retrieve a new access token.
When you redirect the user to the auth dialog, the user is not prompted for permissions if the user has already authorized your application. Facebook will return you a valid access token without any user facing dialog. However if the user has de-authorized your application then the user will need to re-authorize your application for you to get the access_token." Resource: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/

Can't get user feed with application access token?

I'm (just?) trying to get a user's feed via the graph api. All the permissions are in place; I just need to get it to work.
I've found that, if I go into the graph api explorer, I can retrieve the feed if I pass over an access token corresponding to the user. However, if I use the application's access token, I get nothing -- it returns with an empty DATA value.
Is this right? Shouldn't the app's access token work? What's the point of having it around if it doesn't?
An App Access token is primarily used for taking actions on behalf of the app itself (e.g. banning users, changing app settings, posting games achievements, etc).
To access a user's posts you need a user access token from them (or from another user who's able to see that user's posts), and the access token needs the read_stream permission